Compliance Frameworks

Compliance Frameworks

ADCG maps gate evidence to compliance controls across five major frameworks. The system doesn't just collect evidence — it scores compliance posture and generates auditor-ready reports.

Supported Frameworks

Framework	Controls Mapped	Focus Area
SOC 2 Type II	Trust Service Criteria (CC1–CC9)	Security, availability, processing integrity, confidentiality, privacy
EU AI Act	Articles 9–15 (High-Risk AI)	Risk management, data governance, technical documentation, transparency, human oversight
FedRAMP	NIST 800-53 controls	Security controls for federal cloud services
HIPAA	Technical safeguards (§164.312)	Access controls, audit controls, integrity, transmission security
ISO 27001	Annex A controls	Information security management system

Gate-to-Control Mapping

Each gate's evidence maps to specific compliance controls:

Gate	SOC 2	EU AI Act	FedRAMP	HIPAA	ISO 27001
0–1 (Intake/Plan)	CC8.1	Art. 9	CM-3	§164.312(c)	A.12.1.2
3–4 (Analysis/Security)	CC7.1, CC7.2	Art. 15	SI-2, RA-5	§164.312(a)	A.12.6.1
5–6 (Testing/Coverage)	CC8.1	Art. 9	SA-11	§164.312(c)	A.14.2.8
7 (Behavioral)	CC7.2	Art. 10	SI-4	§164.312(b)	A.12.4.1
8 (Dependencies)	CC6.1	Art. 15	SA-12	§164.312(a)	A.15.1.2
10 (Approval)	CC1.4	Art. 14	AC-1	§164.312(a)	A.6.1.1
12 (Final Seal)	CC4.1	Art. 12	AU-10	§164.312(b)	A.12.4.3

Evidence Collection API

Pull compliance-relevant evidence programmatically:

# Get compliance report for a specific run
curl https://api.adcg.dev/v1/runs/{runId}/compliance \
  -H "Authorization: Bearer $ADCG_API_KEY" \
  -H "X-Tenant-ID: $ADCG_TENANT_ID" \
  -G -d "framework=soc2"

Scoring

Each framework control receives a score based on the gate evidence:

Score	Meaning
Pass	All mapped gates passed with full evidence. Control is satisfied.
Partial	Some mapped gates passed, others had non-critical issues. Review recommended.
Fail	One or more mapped gates failed. Control is not satisfied.

The aggregate compliance score is the percentage of controls in pass status.

Report Generation

ADCG generates structured compliance reports:

• Per-run reports — Compliance posture for a single pipeline execution
• Period reports — Aggregate compliance across all runs in a time window (e.g., quarterly SOC 2 evidence)
• Framework-specific exports — Formatted for the specific framework's evidence requirements

Reports include:

1. Control mapping table with pass/partial/fail per control
2. Evidence artifacts linked to each control
3. Gap analysis — which controls need attention
4. Historical trend — compliance score over time

What Auditors Receive

When an auditor requests evidence:

1. You generate a compliance report for the relevant period and framework
2. The report includes every evidence artifact, hash-verified
3. The auditor can independently verify the hash chain
4. No narrative required — the evidence speaks for itself